Skip to main content
Version: 0.17.6

Setup and Authentication

Identity-Aware Proxy Setup

Google Cloud Platform (GCP) provides the Identity-Aware Proxy (IAP) service to manage user access to web applications and resources hosted on Google Cloud.

To set up IAP:

  1. Create a project in GCP.
  2. Create an HTTPS Load Balancer.
    1. From Load Balancing, select From internet to my VMs or serverless services and Global HTTP(S) Load Balancer (classic).
    2. From Backend Configuration, create a Backend Service.
    3. Choose the corresponding Backend Type. If DataChat is deployed on Google Cloud, choose the appropriate backend type for the host(GCE, App Engine, etc.).
    4. Set the protocol to HTTPS.
    5. Save the backend for backend configuration. If using Internet Backend Endpoint Group:
      1. Under Host and Path Rules select Advanced mode, then edit the host and path rule to point to the created backend.
      2. Open the Add-on Action section, and set the Host Rewrite to the URL where the endpoint points to.
    6. Under Frontend Configuration, set up HTTP and HTTPS for the same IP address, then point a domain to this IP. You need a certificate for the HTTPS configuration. You can use an existing certificate from your domain, generate a new one, or use a Google-managed one.
    7. Save the load balancer.
  3. Enable IAP for the backend service you created before.
    1. Once enabled, click the three dots, then click Get JWT Audience Code.
    2. You can provide access to users by selecting Backend, then clicking Add Principal. Enter the email addresses of the users you would like to add, then select All roles > Cloud IAP > IAP-secured Web App User.

Google Drive Authentication Setup

To setup Google Drive Authentication:

  1. Create a project in your organization.
  2. On the Google Cloud Platform, select your project.
  3. From the menu, select APIs & Services > Library.
    1. Select Google Drive API, then click Enable.
  4. From the menu, select APIs & Services > OAuth Consent Screen.
    1. Select the User Type of Internal. While this does restrict loading to Google Drives within your organization, it avoids lengthy verification processes.
    2. Fill in the required fields for this consent screen. Be sure to click Add Domain then enter your bare domain. (e.g. datachat.ai)
    3. Click Save and Continue then Add or Remove Scopes.
    4. In the filter, enter "drive.readonly", and select https://www.googleapis.com/auth/drive.readonly.
    5. Click the checkbox of this entry, then click Update followed by Save and Continue.
  5. From the dashboard select Credentials.
    1. Click Create Credentials, then click OAuth Client ID.
    2. Select Web application under Application type.
    3. Add one Authorized Redirect URI.
      • This should be the URL you access DataChat with + "/web/cloudauth/".
    4. Click Save, then from the popup, select Download JSON.
      • If you need this file again, you can select the credentials you created from the Credentials menu, and Download JSON.
    5. Rename this file to "gauth_client_secrets.json".
  6. Create the folder "cloudauth" inside your DataChat File System, specified by the "$DATACHAT_FILE_SYS" environment variable.
    1. Move or copy gauth_client_secrets.json to the cloudauth folder.

Add DataChat IP for Read-Only Databases

If you are working from DataChat's cloud platform (apps.datachat.ai), connecting to a read-only database that's behind a firewall might require you to add the following IP addresses to your firewall's allowlist to allow DataChat to access your database:

  • 18.116.2.110
  • 3.130.35.228

Work with your organization's IT team to configure your firewall's allowlist.